
DEVO-2026-0005

Devolutions Server and Remote Desktop Manager are affected by multiple vulnerabilities.

Affected Products

Devolutions Server
2025.3.15.0 and earlier
Remote Desktop Manager
2025.3.30 and earlier

Change Log

Initial publication - 2026-03-03

Added Improper certificate validation in WinRM connections - 2026-03-19

Broken authentication in Microsoft Authentication mode of Devolutions Server

9.5 Critical - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

An authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode of Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated attacker to authenticate as an arbitrary Entra ID user by presenting a forged JSON Web Token (JWT).

The attacker must know the email address of the targeted user for the attack to succeed.
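The advisory does not state which validation step was missing, so the example below is not Devolutions' code and does not reconstruct the flaw; it is an added illustration of the checks a relying party must make before trusting the identity claim in a token. Entra ID issues RS256 tokens whose public keys come from the tenant's JWKS endpoint; to run offline this example uses an HMAC key shared between issuer and verifier, but the check order is the same: pin the algorithm, verify the signature, then check issuer, audience and time window, and only then read the user identity. The issuer URL (placeholder tenant ID), audience, key and email addresses are constructed values.

```python
"""Added example: minimal JWT verifier with the checks an IdP token consumer must make.
HS256 is used only so the example is self-contained; a real Entra ID verifier pins RS256
and resolves the signing key from the tenant's JWKS by the token's kid."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; a real deployment takes these from configuration.
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
AUDIENCE = "api://devolutions-server-demo"
SERVER_KEY = b"constructed-shared-secret-for-demo-only"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS. alg="none" yields an unsigned token, used here only to show it is rejected."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenRejected(Exception):
    pass


def verify_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if every check passes; raise TokenRejected otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    # 1. Pin the algorithm server-side; the token never gets to choose it (blocks alg=none and alg confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg %r" % header.get("alg"))
    # 2. Verify the signature with the key we trust before reading any claim.
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    # 3. The token must be from our issuer, for this application, and within its validity window.
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise TokenRejected("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenRejected("expired")
    if isinstance(claims.get("nbf"), int) and now < claims["nbf"]:
        raise TokenRejected("not yet valid")
    # 4. Only now is the identity claim trustworthy.
    return claims


def demo(now=1_700_000_000) -> dict:
    """Genuine token is accepted; four forgeries that know the victim's email are rejected."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": now + 600}
    genuine = mint_token({**base, "preferred_username": "alice@example.com"}, SERVER_KEY)
    results = {"genuine": verify_token(genuine, SERVER_KEY, ISSUER, AUDIENCE, now)["preferred_username"]}
    victim = {**base, "preferred_username": "victim@example.com"}
    forged = {
        "alg_none": mint_token(victim, b"", alg="none"),
        "attacker_key": mint_token(victim, b"attacker-chosen-key"),
        "wrong_audience": mint_token({**victim, "aud": "api://other-app"}, SERVER_KEY),
        "expired": mint_token({**victim, "exp": now - 1}, SERVER_KEY),
    }
    for name, token in forged.items():
        try:
            verify_token(token, SERVER_KEY, ISSUER, AUDIENCE, now)
            results[name] = "ACCEPTED"
        except TokenRejected as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The order matters: reading `preferred_username` or `email` before the signature check is exactly what lets a token that merely names the victim pass, which is why the advisory notes that knowing the victim's email is all the attacker needs once validation is broken.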

CVE(s)

CVE-2026-3224

Remediation and Workarounds

Upgrade to Devolutions Server 2025.3.16 or higher.

If upgrading is not possible, disable the Microsoft authentication mode until the upgrade can be applied.

Credits

truff

Improper Enforcement of Behavioral Controls in PAM Multi-Account Deletion

5.1 Medium - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N

Devolutions Server 2025.3.15.0 and earlier allows an authenticated attacker holding the delete permission to delete a PAM account that is currently checked out, by selecting it together with at least one account that is not checked out and performing a bulk deletion. The single-account deletion path blocks this, so the bulk path bypasses the intended protection and can interfere with Just-in-Time (JIT) privilege revocation, potentially leaving elevated privileges in place after the checkout should have ended.
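The pattern behind this class of bug is a guard that is applied on the single-item path and either skipped or evaluated over the whole batch on the bulk path. The following is an added illustration, not Devolutions' code: `bulk_delete_vulnerable` is a hypothetical shape consistent with the advisory's description (one free account in the selection unlocks the rest), and `bulk_delete` shows the fix a practitioner would want, validating every item of the batch before mutating anything. Account names and the checkout session identifier are constructed.

```python
"""Added example: per-item enforcement of the checked-out guard in a bulk PAM deletion.
Hypothetical model, not the product's code."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class PamAccount:
    account_id: str
    checked_out_by: Optional[str] = None  # non-None while a JIT checkout is active


class CheckedOutError(Exception):
    pass


class PamStore:
    def __init__(self, accounts: Iterable[PamAccount]):
        self.accounts = {a.account_id: a for a in accounts}

    def delete_one(self, account_id: str) -> None:
        """Single-item path: the guard that the bulk path must also honour."""
        acct = self.accounts[account_id]
        if acct.checked_out_by is not None:
            raise CheckedOutError(f"{account_id} is checked out by {acct.checked_out_by}")
        del self.accounts[account_id]

    def bulk_delete_vulnerable(self, account_ids: Iterable[str]) -> None:
        """Hypothetical bug shape: the guard is evaluated over the batch as a whole
        ("is every selected account checked out?"), so mixing in one free account
        lets a checked-out account through."""
        ids = list(account_ids)
        if all(self.accounts[i].checked_out_by is not None for i in ids):
            raise CheckedOutError("selection contains only checked-out accounts")
        for i in ids:
            del self.accounts[i]

    def bulk_delete(self, account_ids: Iterable[str]) -> List[str]:
        """Hardened path: validate every item first, then mutate. Either the whole
        batch is deleted or the store is left untouched."""
        ids = list(dict.fromkeys(account_ids))  # de-duplicate, keep order
        missing = [i for i in ids if i not in self.accounts]
        if missing:
            raise KeyError(f"unknown accounts: {missing}")
        blocked = [i for i in ids if self.accounts[i].checked_out_by is not None]
        if blocked:
            raise CheckedOutError(f"checked-out accounts in selection: {blocked}")
        for i in ids:
            del self.accounts[i]
        return ids


def _fresh_store() -> PamStore:
    # Constructed sample data: one account under an active JIT checkout, one free.
    return PamStore([PamAccount("svc-db", checked_out_by="jit-session-42"), PamAccount("svc-web")])


def demo() -> dict:
    vulnerable = _fresh_store()
    vulnerable.bulk_delete_vulnerable(["svc-db", "svc-web"])  # the bypass: mixed selection

    hardened = _fresh_store()
    try:
        hardened.bulk_delete(["svc-db", "svc-web"])
        refused = False
    except CheckedOutError:
        refused = True

    return {
        "vulnerable_deleted_checked_out": "svc-db" not in vulnerable.accounts,
        "hardened_refused": refused,
        "hardened_store_untouched": set(hardened.accounts) == {"svc-db", "svc-web"},
    }


if __name__ == "__main__":
    print(demo())
```

Rejecting the whole batch rather than silently skipping the checked-out entries is deliberate: a partial delete that quietly leaves one account behind is easy to miss in an audit log, whereas a refused request forces the operator to end the checkout first.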

CVE(s)

CVE-2026-3130

Remediation and Workarounds

Upgrade to Devolutions Server 2025.3.16 or higher, or to 2026.1.6 or higher

Tamperable error messages

5.1 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

The error message page in Devolutions Server displayed a message text taken directly from the URL. A malicious actor could craft a link that makes the legitimate server display a spoofed error message, for example as part of a phishing attempt.

The page was changed to render messages from a fixed set of server-side error codes, so the text is no longer attacker-controlled.

CVE(s)

CVE-2026-3204

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.6 or higher

Passwords can be saved when password saving is disabled

2.0 Low - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

In Remote Desktop Manager, passwords of some connection types could still be saved even when the option "Disable password saving in vaults" is enabled in System Settings, so the vault-wide policy was not enforced uniformly across connection types.

The affected connection types are:

  • AWS dashboard
  • AWS Identity and Access Management (IAM)
  • Microsoft Azure Table Storage Explorer
  • BeyondTrust Admin session
  • Dell iDRAC
  • Google Cloud explorer
  • HP iLO
  • Autofill login (native application)
  • Proxmox dashboard
  • Salesforce Cloud
  • Splashtop dashboard
  • TN3270
  • IBM5250
  • CyberArk dashboard
  • Amazon EC2

CVE(s)

CVE-2026-2590

Remediation and Workarounds

Upgrade to Remote Desktop Manager 2025.3.32 or higher, or to 2026.1.6 or higher

Improper certificate validation in WinRM connections

6.2 Medium - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

The WinRM connections used for PAM propagation in Devolutions Server did not verify the remote host's TLS certificate. An attacker positioned on the network between the server and the target host can therefore perform a man-in-the-middle attack against those connections.

CVE(s)

CVE-2026-4434

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.6 or higher